Trezor support for Zcash shielded transactions

link: ZF Grants - Trezor support for Zcash shielded transactions


Description of Problem or Opportunity

Initially, Zcash design excluded the possibility of signing shielded transactions in hardware wallets, since computational and memory resources required for calculating a transaction authorising zk-proof were enormous. In 2018, the Sapling update facilitated this by separating the spending authority from proving authority. This opens a new opportunity for implementing shielded transactions in hardware wallets.

We consider Zcash to be an important player in the cryptocurrencies innovation field, therefore we would like to contribute to mass adoption of shielded transactions by enabling users to store their shielded funds securely on the Trezor hardware wallet.

Proposed Solution

Subject of this grant is Trezor full support for Zcash Orchard (ZIP-224) shielded transactions. This includes necessary additions to Trezor firmware, Trezor Suite app and Trezor Connect API, which facilitates further integration with third-party wallets.

Solution Format

New code added to Trezor firmware, Trezor Suite and Trezor Connect via GitHub Pull Requests.

Technical Approach

From the beginning of 2021, Zcash has been working on the Orchard update, which brings a new transaction format, address unification, and other features. Simultaneously, it will require a creation of a new privacy pool, where users will migrate their funds after the Orchard activation at the end of 2021. After this pool transfusion, Sapling will become obsolete, which pushes the Orchard into the center of our interest.

We will follow the design in ZIP305. The spending key never leaves the device, proof authorizing and full viewing are sent to the computer to delegate computationally demanding tasks such as zk-proof authorization and blockchain scanning.

We will make use of the open source Rust code from zcash/librustzcash and zcash/orchard repositories. Since we already use Rust in the Trezor firmware codebase, integration of this new code should be straightforward. All firmware source code and unit tests will be available under GPLv3 licence. The new Zcash code for Suite and the Connect API will be written in TypeScript and will be available under MIT licence.

Trezor Firmware

The Zcash component of the Trezor firmware will be extended to fully support Zcash Orchard shielded transactions. (Transparent addresses are already supported). The code will be designed for Trezor Model T. Support for Trezor One will be achieved (unless there are unforeseen blockers found) by SatoshiLabs porting Trezor Model T firmware to Trezor One and is not part of this grant. Unlike Zondax’s Zcash Ledger app, shielded addresses will be derived according to ZIP32 (Orchard version) to maintain compatibility with other ZIP32-based third party wallets.

Trezor Connect API

Connect API will enable third party Zcash wallets to perform all necessary operations such as getting a shielded address and signing a shielded transaction.

Trezor Suite

We will implement Zcash shielded transactions into the Trezor Suite, the official Trezor desktop wallet. This step requires implementation of blockchain scanning, transaction zk-proof authorisation and communication with a Zcash full node.

How big of a problem would it be to not solve this problem?

Trezor users can not use Zcash shielded transactions with Trezor and will use other supported privacy-focused cryptocurrency such as Monero.

Execution risks

Since the Orchard update is still in progress and the roadmap is not set in stone yet, the whole project could be delayed by waiting for certain Orchard components and documentation. Further, we may discover new bugs in the Orchard crate while working with it.

Unintended Consequences Downsides

Zcash network is evolving, this will require an extra effort maintaining the newly added code in the Trezor firmware.

Evaluation plan

At the end of this project a user can receive, store, spend and manage their shielded and transparent Zcash funds using the Trezor and the Suite. Third parties can integrate Trezor’s Zcash transactions into their wallets using the API.

For evaluated goals, see milestones.

Budget and Payout Timeline

We propose a rate of $10,000 USD per 1 month of work as a framework. There are 13 months of work which means $130,000 USD in total.

For payout timeline, see milestones.

Applicant background

SatoshiLabs: Inventors of Trezor, the first hardware wallet. Creators of many standards used across the whole cryptocurrency industry.

Tomas Krnak: Fascination with the concept of shielded transactions was one of the reasons why I decided to study cryptography. My enthusiasm has not faded. Four years and thousand pages about zk-proofs later, I’m finishing my master degree in cryptography at the Charles University and I am glad that I will have the opportunity to fully utilise my theoretical knowledge and coding skills to realise this project.

19 Likes

It would be great to have shielded hw wallet support.

The zondax team had a hard time dealing with zcash jubjub ecc due to the limitations of the ledger hardware (memory, stack & cpu). Could you confirm that this will not be the case for Trezor?

Thanks

1 Like

Trezor Model T is much more capable device with more RAM, so I believe this should not be the problem. (Ledger Nano S = 28 MHz MCU, 10 KB RAM; Trezor Model T = 168 MHz MCU, 128 KB RAM).

8 Likes

@prusnak — good news! ZOMG has decided to fund your proposal!

We agree that hardware wallet support for Zcash transactions is a very big deal, and we’re happy to be able to support Trezor to make that happen.

9 Likes

I’m incredibly glad that this process has finally started. This will have a huge effect on increasing the new shielded pool. And after this happens, criticism about the fact that no one needs Z-addresses will be broken. Thanks to all!

4 Likes

Thank you all for encouraging comments and for funding the project!

12 Likes

We are glad to announce the submission of milestone M.1. During past two months we

  • analyzed design and memory and computational requirements of all Zcash primitives
  • explored transaction shielding and authorization data flows
  • added basic structure of zcash app into trezor-firmware monolith
  • enabled alloc feature on Trezor to facilitate orchard crate import
  • added no_std+alloc support for all necessary Orchard crates

This effort results in direct import of orchard crate into Trezor, including all necessary primitives and schemes like key generator, action commitment or transaction signing.

Finally we are excited to announce that we are not far from submission of M.2.

More details on milestone M.1: ztrezor/M.1_report.md at main · jarys/ztrezor · GitHub

15 Likes

I guess this means “really close” :sweat_smile: Thanks for the update @agi! Good luck with the project. Can’t wait to see this work being published to production.

2 Likes

Thanks a lot for your work!
Two questions please:

  1. Did I understand correctly from the report that 11 seconds for one operation, this means the operation of sending one transaction? If so, that’s cool!
  2. Will Zсash have its own firmware or is it an integration as part of a common multicurrency firmware for Trezor T?

Thank You!

1 Like

Thanks! Yes, I meant we are really close :sweat_smile:

4 Likes
  1. It is 11s per Orchard Action (=one input + one output). But just in case we wanted to optimize memory usage. Current (and preferred) approach is to allocate the Sinsemilla table (64kB) in the flash memory. Then a commitment computation takes a fraction of a second.

The paragraph about Sinsemilla in the report (@artkor reacted to) was redundant and confusing. I deleted it.

  1. Currently, Trezor firmware is a monolith and its design doesn’t allow to separate individual apps, like Ledger does.
3 Likes

Thanks for the update.
Is the expected timeline for completion July 2022?

2 Likes

Many thanks! Now everything is very clear to me! This will be a great event, I’m not afraid to say “turning point” for Zcash.

2 Likes

@prusnak

Hello Pavol!

I don’t know the actual numbers, but it seems to me that most Trezor users have Model One wallets.
At least for the whole time I ordered a total of 9 Model One wallets and only two Model T.

Can you at Trezor discuss the possibility of a promo code (for example, “SHIELDED_IT”) with some discount for ordering Model T wallets and coincide this with the release of firmware containing support for the Orchard pool? I mean closer to the release date.

By the way, this will allow to estimate the primary effect on sales to some extent.

2 Likes

Great idea artkor and I would definitely avail of that.

And exciting update from the Trezor team, great to see progress being made.

2 Likes

We are glad to announce submission of the milestone M.2. New features are

  • Derivation of spending keys according to the ZIP-32
  • Orchard shielded addresses
  • Unified Addresses according to the ZIP-316
  • Get an address and viewing keys via trezorctl command
  • Review an address on display (text or QR code)

This moves us to the 3rd and the most complex stage of the firmware development - transaction signing.

More details on M.2: ztrezor/M.2_report.md at main · jarys/ztrezor · GitHub

16 Likes

Love the execution speed! Looks like milestones are delivered before the deadline. Do you see next three milestones delivering before the set deadlines, if so, does it make sense to update them :slight_smile: ?

5 Likes

I do my best :slight_smile: but I don’t wanna promise anything. Unexpected obstacles can appear so I prefer to have a time reserve instead of updating deadlines.

10 Likes